Full text of "USPTO Patents Application 10066140"


01/13/2006 16:45 FAX 8586785099 FISH AND RICHARDSON @004



Attorney's Docket No.: 10559-755001/P13653

Intel Corporation 

Amendment to the Claims:

This listing of claims replaces all prior versions, and listings, of claims in the application:

1. (original) A machine-implemented method comprising:

receiving requests for network communication services from an invoked application;

selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy; and

monitoring inbound network communications, based on the authorized requests, to detect an intrusion.

2. (original) The method of claim 1, wherein monitoring inbound network communications comprises:

blocking the inbound network communications that fail to correspond to an authorized request; and

monitoring the blocked inbound network communications to detect an intrusion.

3. (original) The method of claim 2, wherein monitoring the blocked inbound network communications comprises:

examining the blocked inbound network communications to detect an intrusion prelude;

identifying a source for a detected intrusion prelude; and

initiating monitoring of inbound network communications from the identified source.

PAGE 4/26 * RCVD AT 1/13/2006 7:43:25 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-6/24 * DNIS:2738300 * CSID:8586785099 * DURATION (mm-ss):16-10

4. (original) The method of claim 3, wherein examining the blocked inbound network communications comprises checking for patterns spanning multiple communications.

5. (original) The method of claim 4, wherein monitoring the blocked inbound network communications further comprises generating fabricated responses to the blocked inbound network communications.

6. (original) The method of claim 3, wherein the monitoring of inbound network communications from the identified source comprises checking the inbound network communications from the identified source for packet-level exploits.

7. (original) The method of claim 1, further comprising increasing a monitoring level for network communications for the invoked application in response to one or more unauthorized requests.




8. (original) The method of claim 7, wherein increasing a monitoring level for network communications for the invoked application comprises initiating monitoring of the network communications for the invoked application using an application-specific intrusion signature.

9. (original) The method of claim 8, further comprising identifying the invoked application by examining a set of instructions embodying the invoked application.

10. (original) The method of claim 9, wherein monitoring of the network communications for the invoked application comprises monitoring in an intrusion detection system component invoked with the invoked application.

11. (original) The method of claim 10, wherein the intrusion detection system component and the invoked application run within a single execution context.

12. (original) The method of claim 9, wherein examining the set of instructions comprises:

applying a hash function to the set of instructions to generate a condensed representation; and

comparing the condensed representation with existing condensed representations for known applications.

13. (original) A machine-implemented method comprising:

identifying an invoked application;

receiving requests for network communication services from the invoked application;

selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy;

blocking inbound network communications that fail to correspond to an authorized request;

monitoring the blocked inbound network communications to detect an intrusion; and

initiating monitoring of network communications for the invoked application using an application-specific intrusion signature in response to one or more unauthorized requests.

14. (original) The method of claim 13, wherein monitoring the blocked inbound network communications comprises:

examining the blocked inbound network communications to detect an intrusion prelude;

identifying a source for a detected intrusion prelude; and

initiating monitoring of inbound network communications from the identified source.

15. (original) The method of claim 14, wherein identifying the invoked application comprises examining a set of instructions embodying the invoked application.

16. (original) The method of claim 15, wherein examining the blocked inbound network communications comprises checking for patterns spanning multiple communications.

17. (original) The method of claim 16, wherein monitoring the blocked inbound network communications further comprises generating fabricated responses to the blocked inbound network communications.

18. (original) The method of claim 15, wherein monitoring of inbound network communications from the identified source comprises checking the inbound network communications from the identified source for packet-level exploits.

19. (original) The method of claim 18, wherein examining the set of instructions comprises:

applying a hash function to the set of instructions to generate a condensed representation; and

comparing the condensed representation with existing condensed representations for known applications.

20. (original) The method of claim 19, wherein monitoring of the network communications for the invoked application comprises monitoring in an intrusion detection system component invoked with the invoked application.

21. (original) The method of claim 20, wherein the intrusion detection system component and the invoked application run within a single execution context.

22. (original) A system comprising:

an application network policy enforcer, which services network requests from an application invoked on a machine, identifies the network requests that fail to satisfy an application-specific network policy, and identifies the network requests that satisfy the application-specific network policy;

a network traffic enforcer, which blocks inbound network traffic that does not correspond to the network requests identified by the application network policy enforcer as satisfying the application-specific network policy; and

an intrusion detector, which responds to the network requests identified by the application network policy enforcer as failing to satisfy the application-specific network policy, and which responds to the inbound network traffic blocked by the network traffic enforcer.

23. (original) The system of claim 22, wherein the intrusion detector comprises:

a first component that responds to the network requests identified as failing to satisfy the application-specific network policy by monitoring traffic for the invoked application, wherein the first component shares a software module with the application network policy enforcer; and

a second component that responds to the blocked traffic by monitoring traffic for an identified source of an intrusion prelude detected in the blocked traffic, wherein the second component shares a software module with the network traffic enforcer.

24. (original) A system comprising:

means for servicing network requests from an application invoked on a machine;

means for authorizing the network requests using an application-specific network policy;

means for blocking traffic that does not correspond to an authorized request;

means for monitoring blocked traffic to identify an intrusion prelude and to identify abnormal application behavior;

means for detecting an intrusion in response to an identified intrusion prelude; and

means for detecting an intrusion in response to identified abnormal application behavior.

25. (original) The system of claim 24, wherein the means for detecting an intrusion in response to an identified intrusion prelude comprises means for detecting packet-level exploits for traffic from an identified source of the identified intrusion prelude, and wherein the means for detecting an intrusion in response to identified abnormal application behavior comprises means for detecting application-specific intrusion signatures for traffic corresponding to an abnormally behaving application, the system further comprising:

means for generating a fabricated response to blocked traffic to gain knowledge about a potential intruder; and

means for responding to a detected intrusion.

26. (original) A machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:

identifying an invoked application;

receiving requests for network communication services from the invoked application;

selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy;

blocking inbound network communications that fail to correspond to an authorized request;

monitoring the blocked inbound network communications to detect an intrusion; and

initiating monitoring of network communications for the invoked application using an application-specific intrusion signature in response to one or more unauthorized requests.




27. (original) The machine-readable medium of claim 26, wherein monitoring the blocked inbound network communications comprises:

examining the blocked inbound network communications to detect an intrusion prelude;

identifying a source for a detected intrusion prelude; and

initiating monitoring of inbound network communications from the identified source.

28. (original) The machine-readable medium of claim 27, wherein identifying the invoked application comprises examining a set of instructions embodying the invoked application.

29. (original) The machine-readable medium of claim 28, wherein monitoring of inbound network communications from the identified source comprises checking the inbound network communications from the identified source for packet-level exploits.

30. (original) The machine-readable medium of claim 29, wherein examining the set of instructions comprises:

applying a hash function to the set of instructions to generate a condensed representation; and

comparing the condensed representation with existing condensed representations for known applications.

31. (original) A machine-implemented method comprising:

blocking inbound network communications that fail to correspond to a network policy;

detecting a potential intrusion prelude from the blocked inbound network communications;

selectively generating a fabricated response to the detected potential intrusion prelude; and

receiving information about a potential intruder in response to the generated fabricated response.

32. (original) The method of claim 31, wherein the network policy comprises an application-specific network policy, the method further comprising:

receiving requests for network communication services from an invoked application;

selectively designating each of the received requests as authorized or unauthorized based on the application-specific network policy;

monitoring the blocked inbound network communications to detect an intrusion; and

associating the information about the potential intruder with a detected intrusion.

33. (original) The method of claim 32, wherein monitoring the blocked inbound network communications comprises:

examining the blocked inbound network communications to detect an intrusion prelude;

identifying a source for a detected intrusion prelude; and

initiating monitoring of inbound network communications from the identified source.

34. (new) The method of claim 13, wherein the application-specific intrusion signature is loaded from a central security server.

35. (new) The machine-readable medium of claim 26, wherein the application-specific intrusion signature is loaded from a central security server.
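The following Python simulation is an added illustration of the claimed host-based scheme; it is not code from the application or from Intel. It walks the steps the claims recite: identifying the invoked application by hashing its instructions and comparing the digest with known ones (claims 9 and 12); designating each request authorized or unauthorized under an application-specific policy and raising the monitoring level for the application after repeated unauthorized requests (claims 1, 7 and 8); blocking inbound traffic that corresponds to no authorized request (claim 2); detecting a prelude that spans several blocked communications, identifying its source and checking that source's later packets for packet-level exploits (claims 3, 4 and 6); and answering blocked probes with a fabricated response whose reply yields information about the potential intruder (claims 5, 31 and 32). The policy table, thresholds, application digests, exploit checks, decoy text, addresses and packets are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

# Claims 9 and 12: identify the invoked application by hashing the instructions that
# embody it. Constructed digests for two "known" applications (example values only).
KNOWN_APPS = {
    hashlib.sha256(b"browser-v1-code").hexdigest(): "browser",
    hashlib.sha256(b"mailer-v1-code").hexdigest(): "mailer",
}

def identify_application(instructions: bytes) -> str:
    """Condense the instruction bytes with SHA-256 and look the digest up."""
    return KNOWN_APPS.get(hashlib.sha256(instructions).hexdigest(), "unknown")

# Claim 1: application-specific network policy, here a constructed table of the
# (protocol, destination port) pairs each application may request.
POLICY = {
    "browser": {("tcp", 80), ("tcp", 443)},
    "mailer": {("tcp", 25), ("tcp", 993)},
}
UNAUTHORIZED_THRESHOLD = 2   # claim 7: unauthorized requests before monitoring is raised
PRELUDE_PORTS = 3            # claim 4: distinct blocked ports from one source = sweep

@dataclass
class Packet:
    src: str
    sport: int
    dst_port: int
    proto: str = "tcp"
    flags: str = "SYN"
    payload: bytes = b""

@dataclass
class HostIDS:
    authorized_flows: set = field(default_factory=set)   # (proto, peer, port) replies expected
    unauthorized_count: dict = field(default_factory=lambda: defaultdict(int))
    monitored_apps: set = field(default_factory=set)     # claim 8: signature monitoring on
    blocked_ports: dict = field(default_factory=lambda: defaultdict(set))
    monitored_sources: set = field(default_factory=set)  # claim 3: identified prelude sources
    baited: set = field(default_factory=set)             # sources sent a fabricated reply
    fabricated: list = field(default_factory=list)       # claims 5/31: fabricated responses
    intruder_info: dict = field(default_factory=dict)    # claims 31/32: what the bait revealed
    alerts: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def request(self, app: str, proto: str, peer: str, port: int) -> bool:
        """Claim 1: designate a request authorized or unauthorized for this application."""
        if (proto, port) in POLICY.get(app, set()):
            self.authorized_flows.add((proto, peer, port))
            return True
        self.unauthorized_count[app] += 1
        if self.unauthorized_count[app] >= UNAUTHORIZED_THRESHOLD:
            self.monitored_apps.add(app)   # claims 7/8: raise the monitoring level
        return False

    def inbound(self, pkt: Packet) -> str:
        """Claim 2: pass traffic matching an authorized request; block and examine the rest."""
        if (pkt.proto, pkt.src, pkt.sport) in self.authorized_flows:
            verdict = "allowed"
        else:
            verdict = "blocked"
            self._examine_blocked(pkt)
            if pkt.src in self.monitored_sources:
                if self._packet_level_exploit(pkt):          # claim 6
                    self.alerts.append(("exploit", pkt.src, pkt.dst_port))
                if pkt.src in self.baited and pkt.payload:   # claim 31: bait was answered
                    self.intruder_info[pkt.src] = pkt.payload
        self.log.append((pkt.src, pkt.dst_port, verdict))
        return verdict

    def _examine_blocked(self, pkt: Packet) -> None:
        """Claims 3-5: spot a pattern spanning several blocked probes, then bait the source."""
        self.blocked_ports[pkt.src].add(pkt.dst_port)
        if len(self.blocked_ports[pkt.src]) >= PRELUDE_PORTS and pkt.src not in self.monitored_sources:
            self.monitored_sources.add(pkt.src)
            self.alerts.append(("prelude", pkt.src, None))
        if pkt.src in self.monitored_sources and pkt.flags == "SYN":
            banner = f"220 decoy service on port {pkt.dst_port} ready"   # constructed decoy text
            self.fabricated.append((pkt.src, pkt.dst_port, banner))
            self.baited.add(pkt.src)

    @staticmethod
    def _packet_level_exploit(pkt: Packet) -> bool:
        """Constructed packet-level checks: illegal SYN+FIN combination or oversized payload."""
        flags = set(pkt.flags.split(","))
        return {"SYN", "FIN"} <= flags or len(pkt.payload) > 1024

def run_demo() -> HostIDS:
    """Constructed scenario exercising each claimed step; returns the detector state."""
    ids = HostIDS()
    app = identify_application(b"browser-v1-code")
    ids.request(app, "tcp", "203.0.113.5", 443)     # authorized: a reply from :443 is expected
    ids.request(app, "tcp", "203.0.113.5", 6667)    # unauthorized
    ids.request(app, "tcp", "203.0.113.5", 31337)   # unauthorized: browser now monitored
    ids.inbound(Packet("203.0.113.5", 443, 51000, flags="SYN,ACK"))   # matching reply, allowed
    for port in (22, 23, 445):                      # sweep from an unrelated source
        ids.inbound(Packet("198.51.100.9", 40000, port))
    ids.inbound(Packet("198.51.100.9", 40001, 445, flags="PSH,ACK", payload=b"USER guest"))
    ids.inbound(Packet("198.51.100.9", 40002, 80, flags="SYN,FIN"))   # packet-level exploit
    return ids

if __name__ == "__main__":
    state = run_demo()
    for entry in state.log + state.alerts:
        print(entry)
    print("monitored apps:", state.monitored_apps, "intruder info:", state.intruder_info)
```

Running the script prints one verdict per inbound packet followed by the two alerts: the prelude fires on the third distinct blocked port from 198.51.100.9, that source's SYN+FIN packet is flagged as a packet-level exploit, and the payload sent in reply to the decoy banner is recorded as intruder information. Note that the fabricated response is only ever sent for traffic that had already been blocked, so the decoy never opens a real path into the host.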


